CN112650085A - Method and apparatus for monitoring industrial control system - Google Patents

Info

Publication number: CN112650085A
Authority: CN (China)
Prior art keywords: data; monitored object; industrial control; control system; operating system
Legal status: Pending (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Application number: CN201910967825.3A
Other languages: Chinese (zh)
Inventor: 张燕燕
Current assignee: Beijing Jingdong Century Trading Co Ltd; Beijing Jingdong Shangke Information Technology Co Ltd (the listed assignees may be inaccurate; Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list)
Original assignee: Beijing Jingdong Century Trading Co Ltd; Beijing Jingdong Shangke Information Technology Co Ltd
Application filed by Beijing Jingdong Century Trading Co Ltd and Beijing Jingdong Shangke Information Technology Co Ltd; priority to CN201910967825.3A; published as CN112650085A

Classifications

    • G: PHYSICS
    • G05: CONTROLLING; REGULATING
    • G05B: CONTROL OR REGULATING SYSTEMS IN GENERAL; FUNCTIONAL ELEMENTS OF SUCH SYSTEMS; MONITORING OR TESTING ARRANGEMENTS FOR SUCH SYSTEMS OR ELEMENTS
    • G05B19/00: Programme-control systems
    • G05B19/02: Programme-control systems electric
    • G05B19/04: Programme control other than numerical control, i.e. in sequence controllers or logic controllers
    • G05B19/042: Programme control other than numerical control, i.e. in sequence controllers or logic controllers using digital processors
    • G05B19/0428: Safety, monitoring
    • G05B2219/00: Program-control systems
    • G05B2219/20: Pc systems
    • G05B2219/24: Pc safety
    • G05B2219/24024: Safety, surveillance

Abstract

The invention discloses a method and a device for monitoring an industrial control system, and relates to the technical field of computers. One embodiment of the method comprises: collecting characteristic data of a monitored object in an industrial control system; acquiring fingerprint data of a monitored object; and comparing the characteristic data with the fingerprint data to determine that the industrial control system is operated safely or has a security flaw. The implementation mode can carry out specific equipment monitoring on the industrial control system, and can more directly and effectively monitor the information safety of the industrial control system.

Description

Method and apparatus for monitoring industrial control system
Technical Field
The invention relates to the technical field of computers, in particular to a method and a device for monitoring an industrial control system.
Background
With the continuing penetration of new information technology into every link of industrial production, industrial control systems are becoming interconnected, open and intelligent. The information security of industrial control systems bears on economic development, social stability and national security. While industrial control systems have significantly increased productivity, they face increasingly severe information security threats.
At present there is no accurate, effective and real-time monitoring tool with which an industrial control security vulnerability monitoring system could monitor the security problems of an industrial control system in real time.
In the process of implementing the invention, the inventor found that the prior art has at least the following problem:
known information security vulnerabilities are merely presented as a list; the specific equipment in an industrial control system is not monitored, so the information security vulnerabilities of the industrial control system cannot be found in time.
Disclosure of Invention
In view of this, embodiments of the present invention provide a method and an apparatus for monitoring an industrial control system, which can perform device-specific monitoring on the industrial control system, and can monitor information security of the industrial control system more directly and effectively.
To achieve the above object, according to an aspect of an embodiment of the present invention, there is provided a method of monitoring an industrial control system.
The method for monitoring the industrial control system comprises the following steps: collecting characteristic data of a monitored object in an industrial control system; acquiring fingerprint data of the monitored object; and comparing the characteristic data with the fingerprint data to determine that the industrial control system is operated safely or has a security vulnerability.
Optionally, the acquiring characteristic data of the monitored object in the industrial control system comprises: acquiring the characteristics of a monitored object in an industrial control system by using a network scanner to obtain an acquisition result; the acquisition result comprises an IP address, an open port number, a service protocol of the open port and an operating system version; analyzing the acquisition result by using a data analyzer to obtain characteristic data of the monitored object; the feature data includes IP address data, open port service data, and operating system data.
Optionally, the acquiring the characteristics of the monitored object in the industrial control system by using the network scanner comprises: scanning a network target address library by using a network scanner, determining an online monitored object, and acquiring an IP address of the online monitored object; carrying out port scanning on the online monitored object by using a network scanner, and acquiring a port number of an open port of the online monitored object; acquiring a service protocol of an open port of the online monitored object; and scanning the operating system of the online monitored object by using a network scanner, and acquiring the version of the operating system of the online monitored object.
Optionally, comparing the feature data with the fingerprint data to determine that the industrial control system is safely operated or has a security vulnerability includes: comparing the characteristic data of the online monitored object with the fingerprint data of the online monitored object to obtain a monitoring result of the online monitored object; the monitoring result comprises host computer change data, port change data, service change data and operating system change data; and determining that the industrial control system runs safely or has a security vulnerability based on the host change data, the port change data, the service change data or the operating system change data.
Optionally, the fingerprint data includes initial IP address data, initial open port data, service data of an initial open port, and initial operating system data; comparing the characteristic data of the online monitored object with the fingerprint data of the online monitored object to obtain a monitoring result of the online monitored object, wherein the monitoring result comprises the following steps: comparing the IP address data with the initial IP address data to obtain the host change data; comparing the open port data with the initial open port data to obtain the port change data; comparing the service data of the open port with the service data of the initial open port to obtain the service change data; and comparing the operating system data with the initial operating system data to obtain the operating system change data.
To achieve the above object, according to another aspect of the embodiments of the present invention, there is provided an apparatus for monitoring an industrial control system.
The device for monitoring the industrial control system comprises the following components: a collection module, which collects characteristic data of a monitored object in the industrial control system; an acquisition module, which acquires the fingerprint data of the monitored object; and a comparison module, which compares the characteristic data with the fingerprint data to determine that the industrial control system runs safely or has a security vulnerability.
Optionally, the collection module is further configured to: collect the characteristics of a monitored object in the industrial control system by using a network scanner to obtain an acquisition result, the acquisition result comprising an IP address, an open port number, a service protocol of the open port and an operating system version; and analyze the acquisition result by using a data analyzer to obtain characteristic data of the monitored object, the characteristic data comprising IP address data, open port service data and operating system data.
Optionally, the collection module is further configured to: scan a network target address library by using a network scanner, determine an online monitored object, and collect the IP address of the online monitored object; carry out port scanning on the online monitored object by using a network scanner and collect the port numbers of the open ports of the online monitored object; collect the service protocol of each open port of the online monitored object; and scan the operating system of the online monitored object by using a network scanner and collect the operating system version of the online monitored object.
Optionally, the comparison module is further configured to: compare the characteristic data of the online monitored object with the fingerprint data of the online monitored object to obtain a monitoring result of the online monitored object, the monitoring result comprising host change data, port change data, service change data and operating system change data; and determine that the industrial control system runs safely or has a security vulnerability based on the host change data, the port change data, the service change data or the operating system change data.
Optionally, the fingerprint data includes initial IP address data, initial open port data, service data of the initial open ports, and initial operating system data; and the comparison module is further configured to: compare the IP address data with the initial IP address data to obtain the host change data; compare the open port data with the initial open port data to obtain the port change data; compare the service data of the open ports with the service data of the initial open ports to obtain the service change data; and compare the operating system data with the initial operating system data to obtain the operating system change data.
To achieve the above object, according to still another aspect of an embodiment of the present invention, there is provided an electronic device for monitoring an industrial control system.
An electronic device for monitoring an industrial control system according to an embodiment of the present invention includes: one or more processors; a storage device for storing one or more programs which, when executed by the one or more processors, cause the one or more processors to implement a method of monitoring an industrial control system of an embodiment of the invention.
To achieve the above object, according to still another aspect of embodiments of the present invention, there is provided a computer-readable storage medium.
A computer-readable storage medium of an embodiment of the present invention has stored thereon a computer program that, when executed by a processor, implements a method of monitoring an industrial control system of an embodiment of the present invention.
One embodiment of the above invention has the following advantages or benefits: the characteristic data of the monitored object in the industrial control system is collected; acquiring fingerprint data of a monitored object; the technical means of comparing the characteristic data with the fingerprint data to determine the safe operation or the existence of the security loophole of the industrial control system is adopted, so that the technical problem that the information security loophole of the industrial control system cannot be found in time is solved, and the technical effects of monitoring the industrial control system specifically to equipment and monitoring the information security of the industrial control system more directly and effectively are achieved.
Further effects of the optional features mentioned above will be described below in connection with the embodiments.
Drawings
The drawings are included to provide a better understanding of the invention and are not to be construed as unduly limiting the invention. In the drawings:
FIG. 1 is a schematic diagram of the main steps of a method of monitoring an industrial control system according to an embodiment of the invention;
FIG. 2 is a schematic diagram of an implementation framework of a method of monitoring an industrial control system according to an embodiment of the invention;
FIG. 3 is a schematic illustration of the collection of characteristic data in a method of monitoring an industrial control system according to an embodiment of the present invention;
FIG. 4 is a schematic view of the main flow of a method of monitoring an industrial control system according to a reference embodiment of the present invention;
FIG. 5 is a schematic diagram of the main modules of a device for monitoring an industrial control system according to an embodiment of the present invention;
FIG. 6 is a schematic diagram of an application of a method of monitoring an industrial control system according to a reference embodiment of the present invention;
FIG. 7 is an exemplary system architecture diagram in which embodiments of the present invention may be employed;
FIG. 8 is a schematic structural diagram of a computer system suitable for implementing a terminal device or a server according to an embodiment of the present invention.
Detailed Description
Exemplary embodiments of the present invention are described below with reference to the accompanying drawings, in which various details of embodiments of the invention are included to assist understanding, and which are to be considered as merely exemplary. Accordingly, those of ordinary skill in the art will recognize that various changes and modifications of the embodiments described herein can be made without departing from the scope and spirit of the invention. Also, descriptions of well-known functions and constructions are omitted in the following description for clarity and conciseness.
It should be noted that the embodiments of the present invention and the technical features of the embodiments may be combined with each other without conflict.
The industrial control system faces an increasingly serious information security threat while remarkably improving the productivity, and when a security hole occurs in the industrial control system, if the security hole cannot be found and processed in time, immeasurable loss is caused to activities such as production and the like. However, at present, there is no monitoring tool that can accurately, effectively and in real time guarantee the information security of the industrial control system. Therefore, the embodiment of the invention provides a method for monitoring an industrial control system, which monitors the characteristics of a single monitored object in the industrial control system, so as to effectively monitor the information safety of the industrial control system in real time.
FIG. 1 is a schematic diagram of the main steps of a method of monitoring an industrial control system according to an embodiment of the invention.
As shown in fig. 1, the method for monitoring an industrial control system according to an embodiment of the present invention mainly includes the following steps:
step S101: characteristic data of a monitored object in an industrial control system is collected.
An industrial control system is an automatic control system consisting of computers and industrial process control components. The devices in the industrial control system, such as the computers and the industrial process control components, are the objects to be monitored. The collection of the characteristic data of the monitored objects can be realized with large-scale network scanning technology, that is, many monitored objects can be scanned in parallel to collect their characteristic data. Through the characteristic data of the monitored objects, information such as the type, content, application and overall composition of the equipment in the industrial control system can be comprehensively known, the industrial control system can be monitored in real time and efficiently, service and support can be provided for production activities, and the information security of the industrial control system is guaranteed.
In the embodiment of the present invention, step S101 may be implemented by the following steps: acquiring the characteristics of a monitored object in an industrial control system by using a network scanner to obtain an acquisition result; and analyzing the acquired result by using a data analyzer to obtain the characteristic data of the monitored object. The collection result may include an IP address (internet protocol address) of the monitored object, an open port number, a service protocol of the open port, and an operating system version. The feature data may include static information such as IP address data and operating system data, and dynamic information such as open port data and open port service data.
Since the acquisition result is a file in XML (extensible markup language) format, data analysis and data cleansing must be performed on the file to obtain a file in data format (a backup-type file used for saving data), and the characteristic data of the monitored object is obtained from the IP address, the open port numbers, the service protocols of the open ports, the operating system version and the like of the monitored object.
For the characteristic of the monitored object in the industrial control system collected by the network scanner, the network scanner can be used for scanning the network target address library to determine the online monitored object and collecting the IP address of the online monitored object; then, a network scanner is used for carrying out port scanning on the online monitored object, the port number of the open port of the online monitored object is collected, and meanwhile, the service protocol of the open port of the online monitored object is collected; and utilizing a network scanner to scan the operating system of the online monitored object, and acquiring the version of the operating system of the online monitored object.
The network target address library records the IP addresses of all objects in the industrial control system. First, by scanning the network target address library with the network scanner, the active IP addresses in the library are found, and thereby the monitored objects that are running, i.e. the online monitored objects. A monitored object corresponding to an inactive IP address is an inactive device and has no influence on the information security of the industrial control system, so only the running monitored objects need to be examined subsequently. Then the network scanner collects the current IP address of each online monitored object; at the same time it can perform port scanning and operating system scanning on the online monitored object in parallel, collecting the port numbers of the open ports and the operating system version. Finally, the service protocol of each open port of the online monitored object is collected from that open port, which completes the acquisition result for the online monitored object. The number and geographical distribution of network scanners can be configured flexibly according to the scale and time requirements of the collection task, so that large-scale parallel collection is achieved.
Step S102: fingerprint data of the monitored object is acquired.
The fingerprint data of the monitored object can be acquired in advance before the industrial control system is monitored, and can also be acquired in the process of monitoring the industrial control system. The fingerprint data is a feature of the object when the industrial control system is built, that is, an initial feature of the object. The fingerprint data may include initial IP address data, initial open port data, service data of the initial open port, initial operating system data, and the like.
Step S103: and comparing the characteristic data with the fingerprint data to determine that the industrial control system is operated safely or has a security flaw.
The fingerprint data serves as the criterion for judgement: comparing the feature data with the fingerprint data shows which features of the monitored object have changed and which have not. If none of the features of the monitored object have changed, or they have changed normally (for example, if the service protocol corresponding to an open port of the monitored object has been updated in the normal way, that is a normal change), the industrial control system can be determined to be running safely; otherwise, the industrial control system can be determined to have a security vulnerability, and the monitored object needs to be handled or further inspected.
In the embodiment of the present invention, step S103 may be implemented by the following steps: comparing the characteristic data of the online monitored object with the fingerprint data of the online monitored object to obtain a monitoring result of the online monitored object; and determining that the industrial control system is safely operated or has a security hole based on the monitoring result.
The monitoring result comprises host change data, port change data, service change data and operating system change data. When determining whether the industrial control system has a security vulnerability, the data used as the basis for the determination can be selected from the monitoring result, namely one or more of the host change data, port change data, service change data and operating system change data, chosen according to the resource state (that is, the load condition), geographic position, operating system type or service type (that is, the specific service corresponding to the service protocol of the open port) of the online monitored object.
Specifically, the comparing the feature data of the online monitored object with the fingerprint data of the online monitored object in this step to obtain the monitoring result of the online monitored object may include: comparing the IP address data with the initial IP address data to obtain host change data; comparing the open port data with the initial open port data to obtain port change data; comparing the service data of the open port with the service data of the initial open port to obtain service change data; and comparing the operating system data with the initial operating system data to obtain operating system change data.
The monitoring result records the IP address, the port numbers of the open ports, the service protocols of the open ports and the operating system of the online monitored object, together with how each of them has changed. If the characteristic data collected in a given round is consistent with the fingerprint data of the monitored object, none of its features have changed; if it is inconsistent, one, several or all of its features have changed. The host change data includes the initial IP address of the online monitored object and the IP address detected in each round, the port change data includes the port numbers of the initial open ports of the online monitored object and the port numbers of the open ports detected in each round, the service change data includes the service protocols of the initial open ports of the online monitored object and the service protocols of the open ports detected in each round, and the operating system change data includes the initial operating system version of the online monitored object and the operating system version detected in each round.
According to the method for monitoring the industrial control system, the characteristic data of the monitored object in the industrial control system is collected; acquiring fingerprint data of a monitored object; the technical means of comparing the characteristic data with the fingerprint data to determine the safe operation or the existence of the security loophole of the industrial control system is adopted, so that the technical problem that the information security loophole of the industrial control system cannot be found in time is solved, and the technical effects of monitoring the industrial control system specifically to equipment and monitoring the information security of the industrial control system more directly and effectively are achieved.
Fig. 2 is a schematic diagram of an implementation framework of a method of monitoring an industrial control system according to an embodiment of the invention.
As shown in fig. 2, in the method for monitoring an industrial control system according to the embodiment of the present invention, tasks for collecting feature data, such as host discovery, port discovery, service detection, and OS detection, may be issued to a network scanner by a task controller through a task interface.
After receiving a task through a task interface of a task controller, a network scanner scans a network target address library to find an active IP address in the network target address library (namely an online monitored object in an industrial control system), and then performs IP address scanning, port scanning, open port library scanning, operating system scanning and the like on the online monitored object to obtain characteristic data such as IP address data, open port data, service data of an open port, operating system data and the like of the online monitored object. The network scanner uploads the characteristic data through an uploading interface of the data parser. After the first scanning round is completed (i.e. active IP addresses in the network target address library are found), subsequent IP address scanning, port scanning, open port library scanning, operating system scanning and the like can be executed in parallel. And the network scanner can flexibly configure the quantity and the geographical distribution according to the scale and the time requirement of the acquisition task, thereby realizing large-scale parallel acquisition.
The data analyzer analyzes the characteristic data and respectively stores the analyzed effective characteristic data into network application acquisition result libraries such as an IP online library, an open port library, a service version library, an operating system library and the like.
When checking whether the industrial control system is safe, the task controller can retrieve the characteristic data from the network application acquisition result library (namely the IP online library, open port library, service version library, operating system library and the like) and compare it with the fingerprint data in the network application fingerprint library to determine that the industrial control system runs safely or has a security vulnerability.
FIG. 3 is a schematic illustration of the collection of characteristic data in a method of monitoring an industrial control system according to an embodiment of the present invention. Fig. 3 shows the process of collecting the characteristic data:
first, the task controller calls the network scanner to scan the network target address library (host discovery) so as to discover the active IP addresses in the library, thereby discovering the running monitored objects (the online monitored objects); the current IP address of each online monitored object is collected and written into the IP online library;
then the network scanner performs port scanning on the online monitored object, collects the port numbers of its open ports, and writes them into the open port library;
at the same time, the network scanner scans the operating system of the online monitored object, collects its operating system version, and writes it into the operating system library;
finally, the network scanner scans the ports recorded in the open port library, collects the service protocol of each open port of the online monitored object, and writes it into the service version library.
FIG. 4 is a schematic view of the main flow of a method of monitoring an industrial control system according to a reference embodiment of the present invention.
As shown in fig. 4, the method for monitoring an industrial control system according to the embodiment of the present invention can be implemented by the following steps:
Step S401: collect the characteristics of a monitored object in the industrial control system by using a network scanner to obtain an acquisition result:
the acquisition of the feature data of the monitored object can be realized based on a large-scale network scanning technology, that is, a plurality of network scanners can be used for simultaneously scanning a plurality of monitored objects in parallel, so that the features of the monitored objects are acquired, and an acquisition result is obtained, wherein the acquisition result comprises the IP address, the open port number, the service protocol of the open port and the operating system version of the monitored object. The method comprises the steps that a network target address library is scanned by a network scanner, an online monitored object is determined, and an IP address of the online monitored object is collected; carrying out port scanning on the online monitored object by using a network scanner, acquiring a port number of an open port of the online monitored object, and acquiring a service protocol of the open port of the online monitored object; and scanning the operating system of the online monitored object by using a network scanner, and acquiring the version of the operating system of the online monitored object.
Step S402: parse the acquisition result with a data parser to obtain the feature data of the monitored object:
The acquisition result is produced in XML format; the data parser performs data analysis and data cleaning on it to obtain a file in a structured data format, and the feature data of the monitored object is derived from the IP address, open port numbers, service protocols of the open ports, operating system version and so on contained in that file.
Step S403: acquire the fingerprint data of the monitored object:
The fingerprint data of the monitored object may be acquired in advance, or while the industrial control system is being monitored.
Step S404: compare the feature data of the online monitored object with its fingerprint data to obtain a monitoring result for that object:
The monitoring result may comprise host change data, port change data, service change data or operating system change data: comparing the IP address data with the initial IP address data yields the host change data; comparing the open port data with the initial open port data yields the port change data; comparing the service data of the open ports with the service data of the initial open ports yields the service change data; and comparing the operating system data with the initial operating system data yields the operating system change data.
Step S405: determine, based on the host change data, the port change data, the service change data or the operating system change data, whether the industrial control system is running safely or has a security vulnerability.
As shown in Fig. 5, in practice the method of monitoring an industrial control system according to an embodiment of the present invention may be implemented with a task controller, a network scanner, a data parser, a network application fingerprint library, a network application collection result library and a network target address library, where the network application collection result library comprises an IP online library, an open port library, a service version library and an operating system library, and where:
the task controller controls the network scanner;
the network scanner scans the network target address library, determines which monitored objects are online and collects the IP address of each online monitored object; port-scans each online monitored object and collects the port numbers of its open ports; scans the entries of the open port library and acquires the service protocol of each open port of the online monitored object; scans the operating system of each online monitored object and acquires its operating system version; and acquires the fingerprint data of the monitored object from the network application fingerprint library;
the data parser parses the IP address of the online monitored object into IP address data and stores it in the IP online library; parses the port numbers of the open ports of the online monitored object into open port data and stores them in the open port library; parses the service protocol of each open port of the online monitored object into service data of the open port and stores it in the service version library; and parses the operating system version of the online monitored object into operating system data and stores it in the operating system library;
the task controller is further configured to read the network application fingerprint library, the IP online library, the open port library, the service version library and the operating system library; to compare the IP address data of the online monitored object with the initial IP address data to obtain host change data, or the open port data of the online monitored object with the initial open port data to obtain port change data, or the service data of the open ports of the online monitored object with the service data of the initial open ports to obtain service change data, or the operating system data of the online monitored object with the initial operating system data to obtain operating system change data; and to determine, based on the host change data, the port change data, the service change data or the operating system change data, whether the industrial control system is running safely or has a security vulnerability.
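The flow of Fig. 4 (steps S401 to S405) and the division of labour of Fig. 5, as an added example written for this page and not the patent's own implementation: a Python script that takes an nmap-style XML acquisition result, performs the parsing and cleaning of step S402 (the data parser's job) to obtain per-host feature records, compares them against a baseline fingerprint library (steps S403 and S404, the task controller's job) and produces the host, port, service and operating system change data on which step S405 decides. The XML document and the fingerprint library are constructed for the example; the addresses, ports, services and operating system names in them are hypothetical.

```python
"""Added example for this page (not the patent's own code): parse an
nmap-style XML acquisition result (step S402), compare the resulting
feature data with a fingerprint library (steps S403/S404) and produce the
change data used by step S405.  All hosts, ports and services below are
constructed for illustration."""
import xml.etree.ElementTree as ET

# Constructed acquisition result in nmap's XML layout (output of step S401).
SCAN_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap">
  <host><status state="up"/>
    <address addr="10.0.0.11" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="502"><state state="open"/><service name="modbus"/></port>
      <port protocol="tcp" portid="22"><state state="open"/>
        <service name="ssh" product="OpenSSH" version="7.9"/></port>
      <port protocol="tcp" portid="23"><state state="closed"/><service name="telnet"/></port>
    </ports>
    <os><osmatch name="Linux 3.10 - 4.11"/></os>
  </host>
  <host><status state="up"/>
    <address addr="10.0.0.12" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="44818"><state state="open"/><service name="EtherNet-IP-2"/></port>
      <port protocol="tcp" portid="80"><state state="open"/>
        <service name="http" product="lighttpd" version="1.4"/></port>
    </ports>
    <os><osmatch name="VxWorks"/></os>
  </host>
  <host><status state="down"/><address addr="10.0.0.13" addrtype="ipv4"/></host>
</nmaprun>
"""

# Hypothetical fingerprint library (step S403): the approved baseline per host.
FINGERPRINTS = {
    "10.0.0.11": {"os": "Linux 3.10 - 4.11",
                  "ports": {502: "modbus", 22: "ssh OpenSSH 7.4"}},
    "10.0.0.12": {"os": "VxWorks", "ports": {44818: "EtherNet-IP-2"}},
    "10.0.0.13": {"os": "Windows 7", "ports": {3389: "ms-wbt-server"}},
}


def parse_scan(xml_text):
    """Step S402: data analysis and cleaning.  Returns {ip: feature record}
    for online hosts only; ports that are not open are discarded."""
    features = {}
    for host in ET.fromstring(xml_text).iter("host"):
        if host.find("status").get("state") != "up":
            continue                      # not part of the IP online library
        ip = host.find("address[@addrtype='ipv4']").get("addr")
        ports = {}
        for port in host.iter("port"):
            if port.find("state").get("state") != "open":
                continue
            svc = port.find("service")
            # service version string: name, product and version, blanks dropped
            fields = (svc.get("name"), svc.get("product"), svc.get("version")) if svc is not None else ()
            ports[int(port.get("portid"))] = " ".join(f for f in fields if f)
        osmatch = host.find("os/osmatch")
        features[ip] = {"os": osmatch.get("name") if osmatch is not None else "",
                        "ports": ports}
    return features


def compare(features, fingerprints):
    """Step S404: host, port, service and operating system change data."""
    seen, known = set(features), set(fingerprints)
    change = {"host": {"new": sorted(seen - known), "missing": sorted(known - seen)},
              "port": {}, "service": {}, "os": {}}
    for ip in seen & known:
        cur, base = features[ip], fingerprints[ip]
        opened = sorted(set(cur["ports"]) - set(base["ports"]))
        closed = sorted(set(base["ports"]) - set(cur["ports"]))
        if opened or closed:
            change["port"][ip] = {"opened": opened, "closed": closed}
        # same port still open but answering with a different service/version
        differing = {p: (base["ports"][p], cur["ports"][p])
                     for p in set(cur["ports"]) & set(base["ports"])
                     if cur["ports"][p] != base["ports"][p]}
        if differing:
            change["service"][ip] = differing
        if cur["os"] != base["os"]:
            change["os"][ip] = (base["os"], cur["os"])
    return change


def verdict(change):
    """Step S405: any deviation from the fingerprint library is reported
    as a security vulnerability, otherwise the system is running safely."""
    host_changed = change["host"]["new"] or change["host"]["missing"]
    if host_changed or change["port"] or change["service"] or change["os"]:
        return "security vulnerability"
    return "safe"


if __name__ == "__main__":
    current = parse_scan(SCAN_XML)
    result = compare(current, FINGERPRINTS)
    print(verdict(result), result)
```

On the constructed input the script reports a baseline host that is no longer online (10.0.0.13), a newly opened port 80 on 10.0.0.12 and a changed SSH version on 10.0.0.11, and therefore returns "security vulnerability". The script never launches a scan itself; it only consumes a saved scan result, which is how a data parser separated from the scanner sees the data. In practice the decision of step S405 is usually tuned per change type, since a newly opened port or a changed service version on a controller is a stronger signal than a host that is temporarily offline, and the active scanning of step S401 is itself done conservatively because some control equipment reacts badly to aggressive probes.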
Fig. 6 is a schematic diagram of the main modules of an apparatus for monitoring an industrial control system according to an embodiment of the present invention.
As shown in Fig. 6, the apparatus 600 for monitoring an industrial control system according to an embodiment of the present invention comprises a collection module 601, an acquisition module 602 and a comparison module 603,
wherein:
the collection module 601 is configured to collect feature data of a monitored object in the industrial control system;
the acquisition module 602 is configured to acquire fingerprint data of the monitored object; and
the comparison module 603 is configured to compare the feature data with the fingerprint data to determine whether the industrial control system is running safely or has a security vulnerability.
In this embodiment of the present invention, the collection module 601 is further configured to: acquire the characteristics of a monitored object in the industrial control system with a network scanner to obtain an acquisition result, the acquisition result comprising an IP address, an open port number, a service protocol of the open port and an operating system version; and parse the acquisition result with a data parser to obtain the feature data of the monitored object, the feature data comprising IP address data, open port data, service data of the open port and operating system data.
In an embodiment of the present invention, the collection module 601 is further configured to: scan a network target address library with a network scanner, determine which monitored objects are online and collect the IP address of each online monitored object; port-scan the online monitored object with a network scanner, collect the port numbers of its open ports and acquire the service protocol of each open port; and scan the operating system of the online monitored object with a network scanner and acquire its operating system version.
In an embodiment of the present invention, the comparison module 603 is further configured to: compare the feature data of the online monitored object with the fingerprint data of the online monitored object to obtain a monitoring result for that object, the monitoring result comprising host change data, port change data, service change data and operating system change data; and determine, based on the host change data, the port change data, the service change data or the operating system change data, whether the industrial control system is running safely or has a security vulnerability.
Further, the fingerprint data comprises initial IP address data, initial open port data, service data of the initial open ports and initial operating system data; and the comparison module 603 is further configured to: compare the IP address data with the initial IP address data to obtain the host change data; compare the open port data with the initial open port data to obtain the port change data; compare the service data of the open ports with the service data of the initial open ports to obtain the service change data; and compare the operating system data with the initial operating system data to obtain the operating system change data.
The apparatus for monitoring an industrial control system thus collects the feature data of a monitored object in the industrial control system, acquires the fingerprint data of the monitored object, and compares the feature data with the fingerprint data to determine whether the industrial control system is running safely or has a security vulnerability. This addresses the problem that information security vulnerabilities of an industrial control system cannot otherwise be found in time, and monitors the industrial control system down to the individual device, so that its information security is monitored more directly and effectively.
Fig. 7 illustrates an exemplary system architecture 700 of a method of monitoring an industrial control system or an apparatus for monitoring an industrial control system to which embodiments of the present invention may be applied.
As shown in fig. 7, the system architecture 700 may include terminal devices 701, 702, 703, a network 704, and a server 705. The network 704 serves to provide a medium for communication links between the terminal devices 701, 702, 703 and the server 705. Network 704 may include various connection types, such as wired, wireless communication links, or fiber optic cables, to name a few.
A user may use the terminal devices 701, 702, 703 to interact with a server 705 over a network 704, to receive or send messages or the like. Various applications may be installed on the terminal devices 701, 702, 703.
The terminal devices 701, 702, 703 may be various electronic devices that have a display screen and support web browsing, including but not limited to smart phones, tablet computers, laptop computers, desktop computers and the like.
The server 705 may be a server that provides various services, for example a background management server that analyzes and processes the received data and returns the processing result to the terminal devices.
It should be noted that the method of monitoring an industrial control system provided by the embodiment of the present invention is generally executed by the server 705, and accordingly the apparatus for monitoring an industrial control system is generally disposed in the server 705.
It should be understood that the number of terminal devices, networks, and servers in fig. 7 is merely illustrative. There may be any number of terminal devices, networks, and servers, as desired for implementation.
Referring now to Fig. 8, shown is a block diagram of a computer system 800 suitable for implementing a terminal device of an embodiment of the present invention. The terminal device shown in Fig. 8 is only an example and does not limit the functions or the scope of use of the embodiments of the present invention.
As shown in fig. 8, the computer system 800 includes a Central Processing Unit (CPU)801 that can perform various appropriate actions and processes in accordance with a program stored in a Read Only Memory (ROM)802 or a program loaded from a storage section 808 into a Random Access Memory (RAM) 803. In the RAM 803, various programs and data necessary for the operation of the system 800 are also stored. The CPU 801, ROM 802, and RAM 803 are connected to each other via a bus 804. An input/output (I/O) interface 805 is also connected to bus 804.
The following components are connected to the I/O interface 805: an input section 806 including a keyboard, a mouse and the like; an output section 807 including a display such as a cathode ray tube (CRT) or a liquid crystal display (LCD), and a speaker; a storage section 808 including a hard disk and the like; and a communication section 809 including a network interface card such as a LAN card, a modem or the like. The communication section 809 performs communication processing via a network such as the Internet. A drive 810 is also connected to the I/O interface 805 as necessary. A removable medium 811 such as a magnetic disk, an optical disk, a magneto-optical disk or a semiconductor memory is mounted on the drive 810 as necessary, so that a computer program read from it can be installed into the storage section 808 as necessary.
In particular, according to the embodiments of the present disclosure, the processes described above with reference to the flowcharts may be implemented as computer software programs. For example, embodiments of the present disclosure include a computer program product comprising a computer program embodied on a computer readable medium, the computer program comprising program code for performing the method illustrated in the flow chart. In such an embodiment, the computer program can be downloaded and installed from a network through the communication section 809 and/or installed from the removable medium 811. The computer program executes the above-described functions defined in the system of the present invention when executed by the Central Processing Unit (CPU) 801.
It should be noted that the computer readable medium shown in the present invention can be a computer readable signal medium or a computer readable storage medium or any combination of the two. A computer readable storage medium may be, for example, but not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any combination of the foregoing. More specific examples of the computer readable storage medium may include, but are not limited to: an electrical connection having one or more wires, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In the present invention, a computer readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device. In the present invention, however, a computer readable signal medium may include a propagated data signal with computer readable program code embodied therein, for example, in baseband or as part of a carrier wave. Such a propagated data signal may take many forms, including, but not limited to, electro-magnetic, optical, or any suitable combination thereof. A computer readable signal medium may also be any computer readable medium that is not a computer readable storage medium and that can communicate, propagate, or transport a program for use by or in connection with an instruction execution system, apparatus, or device. Program code embodied on a computer readable medium may be transmitted using any appropriate medium, including but not limited to: wireless, wire, fiber optic cable, RF, etc., or any suitable combination of the foregoing.
The flowchart and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods and computer program products according to various embodiments of the present invention. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams or flowchart illustration, and combinations of blocks in the block diagrams or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
The modules described in the embodiments of the present invention may be implemented in software or in hardware. The described modules may also be provided in a processor, which may be described as: a processor comprising a collection module, an acquisition module and a comparison module. The names of these modules do not in some cases limit the modules themselves; for example, the acquisition module may also be described as "a module that acquires fingerprint data of the monitored object".
As another aspect, the present invention also provides a computer-readable medium, which may be contained in the apparatus described in the above embodiments or may be separate and not incorporated into the apparatus. The computer-readable medium carries one or more programs which, when executed by a device, cause the device to perform: step S101: collecting feature data of a monitored object in an industrial control system; step S102: acquiring fingerprint data of the monitored object; and step S103: comparing the feature data with the fingerprint data to determine whether the industrial control system is running safely or has a security vulnerability.
According to the technical scheme of the embodiments of the present invention, the feature data of a monitored object in the industrial control system is collected, the fingerprint data of the monitored object is acquired, and the feature data is compared with the fingerprint data to determine whether the industrial control system is running safely or has a security vulnerability. This addresses the problem that information security vulnerabilities of an industrial control system cannot otherwise be found in time, and monitors the industrial control system down to the individual device, so that its information security is monitored more directly and effectively.
The above-described embodiments should not be construed as limiting the scope of the invention. Those skilled in the art will appreciate that various modifications, combinations, sub-combinations, and substitutions can occur, depending on design requirements and other factors. Any modification, equivalent replacement, and improvement made within the spirit and principle of the present invention should be included in the protection scope of the present invention.

Claims (12)

1. A method of monitoring an industrial control system, comprising:
collecting feature data of a monitored object in an industrial control system;
acquiring fingerprint data of the monitored object;
and comparing the feature data with the fingerprint data to determine whether the industrial control system is running safely or has a security vulnerability.
2. The method of claim 1, wherein collecting feature data of a monitored object in an industrial control system comprises:
acquiring the characteristics of the monitored object in the industrial control system with a network scanner to obtain an acquisition result, the acquisition result comprising an IP address, an open port number, a service protocol of the open port and an operating system version;
parsing the acquisition result with a data parser to obtain the feature data of the monitored object, the feature data comprising IP address data, open port data, service data of the open port and operating system data.
3. The method of claim 2, wherein acquiring the characteristics of the monitored object in the industrial control system with the network scanner comprises:
scanning a network target address library with the network scanner, determining that the monitored object is online, and collecting the IP address of the online monitored object;
port-scanning the online monitored object with the network scanner, collecting the port number of each open port of the online monitored object, and acquiring the service protocol of each open port of the online monitored object;
and scanning the operating system of the online monitored object with the network scanner and acquiring the operating system version of the online monitored object.
4. The method of claim 3, wherein comparing the feature data with the fingerprint data to determine whether the industrial control system is running safely or has a security vulnerability comprises:
comparing the feature data of the online monitored object with the fingerprint data of the online monitored object to obtain a monitoring result of the online monitored object, the monitoring result comprising host change data, port change data, service change data and operating system change data;
and determining, based on the host change data, the port change data, the service change data or the operating system change data, whether the industrial control system is running safely or has a security vulnerability.
5. The method of claim 4, wherein the fingerprint data comprises initial IP address data, initial open port data, service data of the initial open ports and initial operating system data; and
comparing the feature data of the online monitored object with the fingerprint data of the online monitored object to obtain the monitoring result of the online monitored object comprises:
comparing the IP address data with the initial IP address data to obtain the host change data;
comparing the open port data with the initial open port data to obtain the port change data;
comparing the service data of the open ports with the service data of the initial open ports to obtain the service change data;
and comparing the operating system data with the initial operating system data to obtain the operating system change data.
6. An apparatus for monitoring an industrial control system, comprising:
a collection module, configured to collect feature data of a monitored object in the industrial control system;
an acquisition module, configured to acquire fingerprint data of the monitored object;
and a comparison module, configured to compare the feature data with the fingerprint data to determine whether the industrial control system is running safely or has a security vulnerability.
7. The apparatus of claim 6, wherein the collection module is further configured to:
acquire the characteristics of the monitored object in the industrial control system with a network scanner to obtain an acquisition result, the acquisition result comprising an IP address, an open port number, a service protocol of the open port and an operating system version;
parse the acquisition result with a data parser to obtain the feature data of the monitored object, the feature data comprising IP address data, open port data, service data of the open port and operating system data.
8. The apparatus of claim 7, wherein the collection module is further configured to:
scan a network target address library with the network scanner, determine that the monitored object is online, and collect the IP address of the online monitored object;
port-scan the online monitored object with the network scanner, collect the port number of each open port of the online monitored object, and acquire the service protocol of each open port of the online monitored object;
and scan the operating system of the online monitored object with the network scanner and acquire the operating system version of the online monitored object.
9. The apparatus of claim 8, wherein the comparison module is further configured to:
compare the feature data of the online monitored object with the fingerprint data of the online monitored object to obtain a monitoring result of the online monitored object, the monitoring result comprising host change data, port change data, service change data and operating system change data;
and determine, based on the host change data, the port change data, the service change data or the operating system change data, whether the industrial control system is running safely or has a security vulnerability.
10. The apparatus of claim 9, wherein the fingerprint data comprises initial IP address data, initial open port data, service data of the initial open ports and initial operating system data; and
the comparison module is further configured to:
compare the IP address data with the initial IP address data to obtain the host change data;
compare the open port data with the initial open port data to obtain the port change data;
compare the service data of the open ports with the service data of the initial open ports to obtain the service change data;
and compare the operating system data with the initial operating system data to obtain the operating system change data.
11. An electronic device for monitoring an industrial control system, comprising:
one or more processors;
a storage device storing one or more programs,
which, when executed by the one or more processors, cause the one or more processors to implement the method of any one of claims 1 to 5.
12. A computer-readable medium on which a computer program is stored, the program, when executed by a processor, carrying out the method of any one of claims 1 to 5.
Application CN201910967825.3A, filed 2019-10-12 (priority date 2019-10-12), "Method and apparatus for monitoring industrial control system"; published as CN112650085A on 2021-04-13; listed status: pending; family ID 75342988; country: CN.

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20150195775A1 (en) * 2012-08-10 2015-07-09 Lauri Aarne Johannes Wirola Wlan radiomap with access points uniquely identified by combination of bssid and mcc
CN106888194A (en) * 2015-12-16 2017-06-23 国家电网公司 Intelligent grid IT assets security monitoring systems based on distributed scheduling
CN108696544A (en) * 2018-09-05 2018-10-23 杭州安恒信息技术股份有限公司 Security breaches detection method based on industrial control system and device
CN108809951A (en) * 2018-05-16 2018-11-13 南京大学 A kind of penetration testing frame suitable for industrial control system
CN109063486A (en) * 2018-08-01 2018-12-21 杭州安恒信息技术股份有限公司 A kind of safe penetration test method and system based on PLC device fingerprint recognition

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20210413